;function for creating query takes two variables
(deffunction isvv
(?p ?oid)
;add {Process:" to x
(bind ?x " { \"Process\" : \"")
;append the value in p to x    
(bind ?x (str-cat ?x ?p))
;add ,Protocol:" to x
(bind ?x (str-cat ?x "\", \"Protocol\":\""))
;append the value in oid to x
(bind ?x (str-cat ?x ?oid))
(bind ?x (str-cat ?x "\"}"))
;when the query is built use dbcount and return the value
(bind ?return-value (dbcount "localhost" "test.log" ?x))
(return ?return-value)
)
;the final query will be {Process:"?p-value",Protocol:"?oid-value"}
;define a rule checks for the existence of two facts
;fact 1: Process
;fact 2: Protocol
(defrule test
(Process ?p)
(Protocol ?oid)
;check if isvv return a value greater than 0. if yes then rule is matched
(test (> (isvv ?p ?oid) 0))
=>
;Register the matched rule with the name "valid vulnerability"
(alert valid-vulnerability)
)
